Directory Synchronization - Azure Active Directory Integration

This article contains information on configuring Azure Active Directory integration with Mimecast for automated directory synchronization, including setup steps, required permissions, validation, and synchronization schedules.

Mimecast can import all of your end-user email addresses, AD groups, AD group membership, and user attributes. To add a layer of security, the connectivity between your Mimecast account and your Azure tenant is facilitated by a Connector.

Once the service is activated, Mimecast and Azure Active Directory will automatically attempt a synchronization 3 times daily. This removes the administrative overhead of performing these tasks manually.

The workflow is as follows:

  1. User, User Attribute, Group, and Group Membership data is requested from the Azure Active Directory.
  2. Azure Active Directory returns the requested data, which is processed and committed to the Mimecast platform.

The graphic below displays the Directory Sync workflow:

Directory Synchronization workflow

Considerations

  • We do not support replicating Microsoft 365 Dynamic Distribution group members, due to limitations in the Microsoft Graph API.
  • Passwords are not synchronized. To allow users to log on to Mimecast applications using their Microsoft 365 / Microsoft Azure credentials, you must also configure Single Sign-On (SSO). Check our SSO articles for additional information.
  • You won't be able to pull in mail-enabled public folder email addresses via the Azure Active Directory Sync, as this isn't supported in the Microsoft Cloud platform. However, you can import these manually as needed; if you do not, mail to those addresses will fail our default recipient validation checks and mail flow will be interrupted.
  • Mimecast Services Limited requires the following permissions in your Microsoft environment to enable Directory Synchronization:
  1. Read all users' full profiles.
  2. Read directory data.
  3. Sign in and read the user profile.

Prerequisites

You will need:

  1. A Basic Administrator role in Mimecast.
  2. Access to the Mimecast Administration Console with Edit permissions to:
      • The Users & Groups | Directory Synchronization functionality.
      • The Integrations | Connectors functionality.
  3. The credentials of the Microsoft 365 / Microsoft Azure global administrator (or an administrator login within Microsoft 365 that can grant consent).
  4. Ensure that you have configured both mail and proxy address attributes in your environment for a successful directory sync.
  5. You will need to grant the following permissions to complete the setup:

Directory Sync permissions

Directory.Read.All (common name: Read directory data)
  Identifier: 7ab1d382-f21e-4acd-a863-ba3e13f7da61
  Description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  Reference: Microsoft Graph permissions reference (Microsoft Learn)

Domain.Read.All (common name: Read domains)
  Identifier: dbb9058a-0e50-45d7-ae91-66909b5d4664
  Description: Allows the app to read all domain properties without a signed-in user.
  Reference: Microsoft Graph permissions reference (Microsoft Learn)

User.Read.All (common name: Read all users' full profiles)
  Identifier: df021288-bdef-4463-88db-98f22de89214
  Description: Allows the app to read user profiles without a signed-in user.
  Reference: Microsoft Graph permissions reference (Microsoft Learn)

User.Read (common name: Sign in and read user profile)
  Identifier: e1fe6dd8-ba31-4d61-89e7-88639da4683d
  Description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  Reference: Microsoft Graph permissions reference (Microsoft Learn)
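After consenting, it is worth confirming that the Connector's service principal holds exactly the application permissions listed above and nothing more. The following is an added example, not Mimecast or Microsoft code: it audits the JSON shape returned by a Microsoft Graph appRoleAssignments listing (a "value" array whose items carry "appRoleId") against the three application permission IDs from the table. The sample payload is constructed; User.Read is a delegated permission and is recorded separately from app roles, so it is deliberately not part of the expected set here.

```python
"""Audit consented application permissions against the documented set."""
import json

# Application permission IDs exactly as listed in the permissions table above.
EXPECTED_APP_ROLES = {
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "dbb9058a-0e50-45d7-ae91-66909b5d4664": "Domain.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

# Constructed sample in the shape of a Graph appRoleAssignments response.
# The last entry uses a placeholder GUID to stand in for an undocumented role.
SAMPLE_ASSIGNMENTS = json.dumps({
    "value": [
        {"appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
         "resourceDisplayName": "Microsoft Graph"},
        {"appRoleId": "df021288-bdef-4463-88db-98f22de89214",
         "resourceDisplayName": "Microsoft Graph"},
        {"appRoleId": "00000000-0000-0000-0000-000000000001",
         "resourceDisplayName": "Microsoft Graph"},
    ]
})


def audit_app_roles(assignments_json: str):
    """Return (missing, unexpected) for one service principal.

    missing:    documented permission names that have not been consented
                (sync will fail its permission checks).
    unexpected: consented role IDs outside the documented set; these should
                be reviewed and, if not needed, removed.
    """
    assigned = {item["appRoleId"]
                for item in json.loads(assignments_json).get("value", [])}
    missing = {name for role_id, name in EXPECTED_APP_ROLES.items()
               if role_id not in assigned}
    unexpected = assigned - set(EXPECTED_APP_ROLES)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit_app_roles(SAMPLE_ASSIGNMENTS)
    print("missing:", sorted(missing))
    print("unexpected:", sorted(unexpected))
```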

Creating an Azure Active Directory Integration

To add a Microsoft Azure Directory integration:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Directory Synchronization.
  3. Click on the Create New Integration button.
  4. Configure the dialog as follows:
       • Name: Give the integration a name.
       • Description: Type a description to identify the integration.
       • Type: Select Microsoft Azure - Standard or Microsoft Azure - GCC HIGH, depending on the Microsoft environment that hosts your Azure tenant.
  5. Click on the Next button.
  6. Select Create New Connector and enter a Name for the Connector and a Description (optional). If you have already created the Connector, select Choose Existing Connector and select the correct one from the drop-down menu.
  7. Click Login, follow the Microsoft consent workflow, verify the requested permissions, and click Accept.
  8. Select Next.
  9. Set the additional integration options:
       • Acknowledge Disabled Accounts: If selected, user accounts disabled in Active Directory are also disabled in Mimecast.
       • Filter Email Domains: Optionally list the domains the directory integration synchronizes with. This can be used when multiple directory integrations are dedicated to specific domains, or when your Mimecast account is part of an Advanced Account Administration setup. Entries must be comma-separated, with no spaces.
       • Include Contacts: Enable to include organizational contacts.
       • Include Guest Accounts: Enable to include internal guest accounts.
       • Maximum Sync Deletions: The maximum number of accounts that will be updated to "Created by Message in transit" when they are no longer part of the synchronization result. See Maximum Sync Deletions & Deleted Users for more information.
       • Delete Users: When selected, accounts that would have been set to "Created by Message in transit" are instead deleted, subject to the limit set in "Maximum Sync Deletions". Addresses already marked as "Created by Message in transit" are not affected. See Maximum Sync Deletions & Deleted Users for more information.
  10. Click Next.
  11. Review the integration details and click Create Integration.
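The interaction between Acknowledge Disabled Accounts, Maximum Sync Deletions and Delete Users decides what happens to accounts after each scheduled sync, so it helps to walk through it before enabling Delete Users. The block below is an added example, not Mimecast code: it models the rules as the dialog describes them on a constructed account list. The order in which stale accounts consume the deletion cap is an assumption (alphabetical by address); the product's real ordering is not documented here.

```python
"""Model the post-sync account actions described in the integration dialog."""
from dataclasses import dataclass

MIT = "Created by Message in transit"   # status named in the dialog text


@dataclass
class Account:
    address: str
    source: str   # how Mimecast created the account, e.g. "Directory Sync" or MIT


# Constructed sample: five Mimecast accounts, one of them already marked MIT.
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "Directory Sync"),
    Account("bob@example.com", "Directory Sync"),
    Account("carol@example.com", "Directory Sync"),
    Account("dave@example.com", "Directory Sync"),
    Account("erin@example.com", MIT),
]

# Constructed sync result: address -> "disabled in Active Directory" flag.
# carol, dave and erin were not returned by Azure AD this time.
SAMPLE_SYNC_RESULT = {"alice@example.com": False, "bob@example.com": True}


def plan_sync(accounts, sync_result, max_deletions,
              delete_users=False, acknowledge_disabled=False):
    """Return address -> action for one synchronization run.

    keep / disable      account returned by the directory
    set-mit / delete    stale account, within the Maximum Sync Deletions cap
    skipped-cap         stale account left alone because the cap was reached
    unchanged           already MIT, never affected (as the dialog states)
    """
    plan, budget = {}, max_deletions
    for acct in sorted(accounts, key=lambda a: a.address):  # assumed ordering
        if acct.address in sync_result:
            disabled = sync_result[acct.address]
            plan[acct.address] = "disable" if (acknowledge_disabled and disabled) else "keep"
        elif acct.source == MIT:
            plan[acct.address] = "unchanged"
        elif budget > 0:
            plan[acct.address] = "delete" if delete_users else "set-mit"
            budget -= 1
        else:
            plan[acct.address] = "skipped-cap"
    return plan
```

Running it with a cap of 1 shows the cap protecting dave from an unexpected status change; raising the cap with Delete Users on turns both stale accounts into hard deletions.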

Validating Your Configuration

To validate your settings:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Directory Synchronization.
  3. Select the Directory integration you want to test.
  4. Click on the Test Connection tab. The test will commence.

A series of tests will be performed. They include:

  1. Connectivity tests
  2. Connector tests
  3. Sample address test

A tooltip will display additional information, including possible solutions, if a test fails.

Verifying Your Integration

Once the service is activated, Mimecast and Azure Active Directory will automatically attempt a synchronization 3 times daily. These synchronizations are initiated during the following time windows:

  • Between 8 a.m. and 11 a.m.
  • Between 1 p.m. and 4 p.m.
  • Between 12 a.m. and 3 a.m.

These are based on the time zone your Mimecast account is hosted in. For the Europe region (except accounts hosted in Germany), the timing is in GMT. The timing for the North American "CUSA" region is in EST.

To validate that your scheduled synchronizations are completing successfully, you can view the status of a directory integration, review Audit Logs for completed syncs, or request a synchronization:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Directory Synchronization.
  3. Click on the Sync All button to trigger a synchronization.